Microsoft published the January 2018 Patch Tuesday security updates this week. The release includes fixes for 56 vulnerabilities and three special security advisories with fixes for Adobe Flash, the Meltdown & Spectre flaws, as well as a defense-in-depth update for Office Applications.

Things were a little messy this month however. Microsoft released an emergency out-of-band security update for the now infamous Meltdown & Spectre vulnerabilities on January 3rd. That emergency update was supposed to be part of this week’s Patch Tuesday. Besides fixes for the Meltdown & Spectre flaws, the out-of-band update also contained fixes for other security bugs.

Microsoft Patches Zero Day in Office

While Meltdown & Spectre bugs captured everyone’s attention, this Patch Tuesday update deliver important fixes on their own. The most important of these is a zero-day vulnerability in the Microsoft Office and Microsoft WordPad applications. Microsoft describes the flaw (CVE-2018-0802) as a memory corruption issues that allows attackers to execute code on a victim’s PC. The flaw appears to reside in an old version of the Office Equation Editor component.

Microsoft acknowledges several researchers with discovering the flaw – Qihoo 360, Tencent, opatch Team, and Check Point – and said the OS maker addressed the zero-day by removing some of the Equation Editor’s functionality.

A security firm pointed out that the Equation Editor was an antiquated and vulnerable component in November 2017. Cybercrime groups quickly moved to exploit the flaw. Now it appears that other groups found the methods to exploit the same component, after previous research pointed out it may be a weak spot in the Office suite.

Microsoft similarly got rid of another feature called Dynamic Data Exchange (DDE) after malware groups began abusing it again, after it previously been abused in the 90s. Microsoft removed DDE only from Word, but not all the entire Office suite.

Patch for Mailsploit Attack

Also this month, Microsoft patched the Mailsploit vulnerability in Outlook for Mac (CVE-2018-0819) that allowed miscreants to send emails with spoofed identities.

Microsoft advisory ADV180001 also includes this month’s Adobe Flash security updates, consisting of one bugfix for CVE-2018-4871 (out-of-bounds read that leads to information disclosure).

Security Release Roundup

All in all, Microsoft patched bugs in Internet Explorer, Microsoft Edge, Microsoft Windows, Microsoft Office, and Microsoft Office Services & Web Apps, SQL Server, Chakracore, .Net Framework, .Net Core, and ASP.NET Core. You can review the entire report of all the security issues Microsoft released this month, here. TSI has tested these updates and deployed them to our managed clients connected workstations as well as servers.